
Some years ago, when I just did normal PC maintenance monkeywork, an employer decided to resurrect a load of mothballed PCs. Despite the meticulous record keeping in that place, the passwords for those machines were long forgotten. None of us had a Microsoft Windows installation disc either.
The following is a useful trick for anyone finding themselves in a similar situation. It assumes you have physical access to the machine, that the drive isn’t encrypted, and that the passwords set were relatively weak. This post will also demonstrate how easy it is to compromise the average desktop system, and provide a few countermeasures.

The Ingredients
For this, you’ll need:
* A fairly high-performance computer (for the cracking).
* A Linux live CD (for getting at the target’s files).
* Cracking software.
* Ideally the permission of whoever owns the Windows PC.

There are numerous password cracking programs available, as a quick Google search will reveal. Some cost money, and many others are script-kiddie downloads bundled with a malware payload. I strongly recommend using one that’s included with a freely-available security Linux distribution such as BackTrack, Blackbuntu or Matriux. Download the ISO from the developer’s site, or a mirror directly linked from it, and check the published checksum before burning it.

Another Linux live CD is also required here, and this should be a small OS, like Puppy Linux, Knoppix or Damn Small Linux, that runs comfortably on a low-performance machine. Not all PCs will have a DVD drive, the ability to boot from a USB device, or enough memory to run a larger distro. We only need this CD for browsing the target machine’s filesystem and copying out the files that hold the password hashes we want to crack.

The final ingredient is the explicit permission of whoever owns the machines. Accessing someone else’s PC and cracking its passwords is normally illegal without that, and a gross invasion of privacy.

Gaining Access
When a password is entered at the Windows logon screen, Windows hashes it and compares the result with the hash stored for that account in the SAM (the local account database). If there’s a match, the user is logged in. Windows never needs the password itself, only the hash, and the hash isn’t salted, so anyone who can read the SAM can test candidate passwords against it offline at full speed. Basically the plan here is to bypass the Windows OS, acquire the password hash for the Administrator account, and then crack it using a cracking program on a higher-performance machine.

The first step is to get Linux running as the target machine’s OS, which lets us browse, modify and copy any file on the disk without having to log into Windows. For this to happen, the BIOS must be configured to boot the machine from the CD/DVD drive instead of the hard disk.

In some cases the BIOS menu is protected by a password. The way around this on a typical desktop is to open the PC’s case and remove the CMOS battery from the motherboard for a few seconds (or short the clear-CMOS jumper, if the board has one). This wipes the user settings, including any BIOS password, and the menu can be accessed next time the machine’s switched on. Be aware that many laptops keep their BIOS password in non-volatile memory rather than CMOS, so this trick won’t work on them.

Once the BIOS is configured, exit the menu and restart the machine. Hopefully it’ll load the Linux OS without any issues, and a desktop should appear after a few minutes. Mount the Windows partition (read-only is enough for our purposes) and we have access to all the files on the local machine.

Cracking the Account Password
What we’re after is something called the SAM file, which is located in the C:\WINDOWS\System32\Config directory. The SYSTEM file in the same directory is needed too: the hashes inside the SAM are encrypted with a key (the “SysKey” or boot key) that lives in the SYSTEM hive, so the SAM on its own can’t be read. Neither file can be copied while Windows is running, as it keeps them locked, which is exactly why we booted Linux instead.

Copy both files to a USB drive, or dump the hashes on the spot with a tool such as samdump2 (included on BackTrack), which takes the SYSTEM and SAM hives and prints one line per account in the usual pwdump format: username, RID, LM hash, NT hash. These hash values are what cracking programs test candidate passwords against until the original is found. Two things make this easier than it sounds. The NT hash is plain unsalted MD4 of the password, so a dictionary with a few mangling rules gets through most weak passwords quickly. Worse, Windows XP also stores an LM hash for any password of 14 characters or fewer unless that’s disabled by policy; the LM hash is case-insensitive and split into two independent 7-character halves, so it falls to brute force in minutes regardless of how “strong” the password looked. As I’ve mentioned, the chances are the password is weak, and a high-spec system can crack it within seconds, minutes or hours. The stronger the password is, the longer it takes.

Securing the Windows Desktop
So we know one way (among several) passwords can be cracked for a desktop computer. Preventing it involves making every step above as hard as possible.

* Ensure the hard drive is configured as the primary boot device, disable booting from removable media, and set a password for the BIOS.
* The physical security of the PC is important. Secure the case so that nobody can easily remove the internal drives or the CMOS battery from the motherboard, since either gets around the BIOS password.
* Set strong passwords for the Administrator and user accounts on the PC. Long passphrases beat short complex passwords against an offline attack, and on Windows XP make sure LM hashes aren’t being stored (the NoLMHash policy, or passwords over 14 characters), otherwise length counts for little.
* Access to the Administrator account should be restricted to the owner of the machine, or the organisation’s IT staff.
* Having a recovery plan is also an aspect of information security. When purchasing a new Windows PC, make damn sure the supplier provides a Windows installation disk. A ‘recovery partition’ is useless if the drive itself fails.
* Consider full-disk encryption. With the drive encrypted, a live CD sees only ciphertext instead of the SAM, and this whole method fails.